
HELP! CreateProcessWithLogonW issue - ASP.NET Web Services


  1. #1

    HELP! CreateProcessWithLogonW issue

    Hi,

    I hope someone can help me with this - it's driving us all nuts.

    We have an ASP.Net web application that must run an external executable to
    accomplish a document merge function. We got this to work on Windows XP
    using the following code (low level API calls). Before we call the RunIt
    method, we successfully impersonate with the same Domain/UserID/Password as
    is passed into the method. As I said, all is well in Win XP, however, when
    we try to execute the code in Server 2003, the executable just hangs. It
    doesn't get to any of the database processing (I know because I traced it)
    so I am assuming it is hanging up almost immediately.

    We have set the following permissions on the Server 2003 box:
    SE_ASSIGNPRIMARYTOKEN_NAME by modifying the Local Security Policy ("Replace
    a process level token")
    - AND -
    SE_INCREASE_QUOTA_NAME by modifying the Local Security Policy ("Adjust
    memory quotas for a process")

    The RunIt method that we are executing is below:

        // The P/Invoke declarations (CreateProcessWithLogonW, WaitForSingleObject,
        // CloseHandle, STARTUPINFO, PROCESS_INFORMATION and the constants) are
        // not shown in the post.
        public string RunIt(string userID, string password, string domain,
                            string appString, string argString)
        {
            string rc = "";

            // Account to run as
            string _logonName = userID; // some user
            string _domain = domain;    // domain
            string _password = password;

            // Command to execute. The API can modify the command-line buffer,
            // so it is passed as a StringBuilder.
            StringBuilder sb = new StringBuilder();
            string commandString = appString + " " + argString;
            sb.Append(commandString);

            PROCESS_INFORMATION processInfo;
            STARTUPINFO startInfo = new STARTUPINFO();

            startInfo.cb = Marshal.SizeOf(startInfo);
            startInfo.lpTitle = null;
            startInfo.dwFlags = STARTF_USECOUNTCHARS;
            startInfo.dwYCountChars = 50;

            // Create the process much as "runas" does, using the logon user's profile
            bool ret = CreateProcessWithLogonW(_logonName, _domain, _password,
                LOGON_WITH_PROFILE, null, sb,
                NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT,
                IntPtr.Zero, "c:\\",
                ref startInfo, out processInfo);
            if (!ret)
            {
                // On failure, report the Win32 error code and the command line
                rc = "Error: " + Marshal.GetLastWin32Error() + " " + commandString;
            }
            else
            {
                CloseHandle(processInfo.hThread);
                // Blocks until the child process exits
                WaitForSingleObject(processInfo.hProcess,
                    System.Threading.Timeout.Infinite);
                CloseHandle(processInfo.hProcess);
            }

            return rc;
        }

    ANY help would be appreciated!!!
    Thanks in advance.
    Charlie
    charlie@nunya.com Guest

  3. #3

    Re: HELP! CreateProcessWithLogonW issue

    Once again, I am answering my own query hoping that this might help someone
    else at some point (does anyone from Microsoft ever answer questions that
    border on the hard to solve?).

    Anyway - we solved this issue using WMI. It works great but there were a
    couple of quirks which I hope I have documented below. The code is taken
    out of context so I make no guarantee that it will compile as presented.
    There were some good references for WMI and C# on the web. I didn't
    remember to save the URLs but a quick search will turn them up.
    Ultimately, I believe this solution to be a little "cleaner" than the low
    level API call that we were using as it uses Framework classes to get the
    work done.

        // Requires: using System.Management; using System.Net;
        public string RunWIM(string domain, string userID, string pwd,
                             string appString, string argString)
        {
            string rc = "";
            ConnectionOptions options = new ConnectionOptions();
            string serverName = Dns.GetHostName();
            // because we are running against the local machine we can't validate
            // we are impersonating at this point so we have the correct security
            // level
            //options.Username = domain + "\\" + userID;
            //options.Password = pwd;
            //Create a scope to work in
            ManagementScope WmiScope = new ManagementScope("\\\\" + serverName, options);
            WmiScope.Connect();
            ManagementClass processClass = new ManagementClass("Win32_Process");
            processClass.Scope = WmiScope;
            //Get an input parameters object for this method
            ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
            //Fill in input parameter values
            inParams["CommandLine"] = appString + " " + argString;
            // this will execute our command but it will not wait for the job to complete...
            ManagementBaseObject outParams = processClass.InvokeMethod("Create",
                inParams, null);
            // Win32_Process.Create puts 0 in ReturnValue on success
            uint result = Convert.ToUInt32(outParams["ReturnValue"]);
            if (result != 0)
            {
                rc = "Error: Win32_Process.Create returned " + result;
            }
            return rc;
        }

    The calling method has this code in it - we are creating some files and
    writing them to disk so we just put some simple logic in a while loop to
    make sure we waited until the process finished:

        int x = 0;
        bool goOn = false;
        Impersonation i = new Impersonation();
        string userID = "username";
        string password = "password";
        string domain = ConfigurationSettings.AppSettings.Get("Default_Domain");
        string app = pAppPath + "Tools\\MergeEngine.exe";
        string args = iniFile;
        try
        {
            RunProcessAs rp = new RunProcessAs();
            rc = rp.RunWIM(domain, userID, password, app, args);
        }
        catch (Exception e)
        {
            rc = e.ToString();
        }

    I hope this will help someone - we struggled with the API call for a couple
    of days but we got this going in less than an hour.
    Charlie
    charlie@nunya.com Guest

  5. #5

    Re: HELP! CreateProcessWithLogonW issue

    I have the same issue with using CreateProcessWithLogonW on a 2003
    machine. The application does not start. It doesn't even generate an
    error message. I tried using the below example but it will not work
    when trying to login to the same machine.

    Does anyone know how to deal with this Server 2003 security issue? I
    have granted about every local security setting policy setting to both
    the ID doing the impersonation and the ID it is trying to impersonate
    to.

    I am trying to start an app under a specific ID from a windows
    service. It works great on Server 2000 but not 2003.



    charlie@nunya.com wrote in message news:<HUFLc.4611$2b2.2894newssvr22.news.prodigy.com>...
    > Once again, I am answering my own query hoping that this might help someone
    > else at some point (does anyone from Microsoft ever answer questions that
    > border on the hard to solve?).
    >
    > Anyway - we solved this issue using WMI. It works great but there were a
    > couple of quirks which I hope I have documented below. The code is taken
    > out of context so I make no guarantee that it will compile as presented.
    > There were some good references for WMI and C# on the web. I didn't
    > remember to save the URLs but a quick search will turn them up.
    > Ultimately, I believe this solution to be a little "cleaner" than the low
    > level API call that we were using as it uses Framework classes to get the
    > work done.
    >
    > public void RunWIM(string domain, string userID, string pwd, string
    > appString, string argString)
    > {
    > string rc = "";
    > ConnectionOptions options = new ConnectionOptions();
    > string serverName = Dns.GetHostName();
    > // because we are running against the local machine we can't validate
    > // we are impersonating at this point so we have the correct security
    > // level
    > //options.Username = domain + "\\" + userID;
    > //options.Password = pwd;
    > //Create a scope to work in
    > ManagementScope WmiScope = new ManagementScope("\\\\" + serverName, options);
    > WmiScope.Connect();
    > ManagementClass processClass = new ManagementClass("Win32_Process");
    > processClass.Scope = WmiScope;
    > //Get an input parameters object for this method
    > ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
    > //Fill in input parameter values
    > inParams["CommandLine"] = appString + " " + argString;
    > // this will execute our command but it will not wait for the job to complete...
    > ManagementBaseObject outParams = processClass.InvokeMethod("Create",
    > inParams, null);
    > }
    >
    > The calling method has this code in it - we are creating some files and
    > writing them to disk so we just put some simple logic in a while loop to
    > make sure we waited until the process finished:
    > int x = 0;
    > bool goOn = false;
    > Impersonation i = new Impersonation();
    > string userID = "username";
    > string password = "password";
    > string domain = ConfigurationSettings.AppSettings.Get("Default_Domain");
    > string app = pAppPath + "Tools\\MergeEngine.exe";
    > string args = iniFile;
    > try
    > {
    > RunProcessAs rp = new RunProcessAs();
    > rc = rp.RunWIM(domain,userID,password,app,args);
    > }
    > catch (Exception e)
    > {
    > rc = e.ToString();
    > }
    >
    > I hope this will help someone - we struggled with the API call for a couple
    > of days but we got this going in less than an hour.
    > Charlie
    Andrew Zimmer Guest

  7. #7

    Re: HELP! CreateProcessWithLogonW issue

    If your service is started under Local System account, this is a known issue
    in Windows Server 2003 and XPSP2 - the CreateProcessWithLogonW API is
    changed to better handle the new process' use of desktop by utilizing "Logon
    Sid" in the caller's token. However the local system token (under which your
    GINA is running) doesn't have a "Logon sid" so the API failed when caller is
    local system.

    You can use LogonUser and CreateProcessAsUser to achieve the same thing.

    This info will be included in next release of MSDN.

    --
    Yu Chen [MS]
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Andrew Zimmer" <zimmeracharter.net> wrote in message
    news:485f505f.0408181919.5adec780posting.google.com...
    > I have the same issue with using CreateProcessWithLogonW on a 2003
    > machine. The application does not start. It doesn't even generate an
    > error message. I tried using the below example but it will not work
    > when trying to login to the same machine.
    >
    > Does anyone know how to deal with this Server 2003 security issue? I
    > have granted about every local security setting policy setting to both
    > the ID doing the impersonation and the ID it is trying to impersonate
    > to.
    >
    > I am trying to start an app under a specific ID from a windows
    > service. It works great on Server 2000 but not 2003.

    Yu Chen [MS] Guest

  9. #9

    Re: HELP! CreateProcessWithLogonW issue

    Please ignore the "GINA" part below - it's a cut & paste from an earlier
    reply to another thread.

    > If your service is started under Local System account, this is a known issue
    > in Windows Server 2003 and XPSP2 - the CreateProcessWithLogonW API is
    > changed to better handle the new process' use of desktop by utilizing "Logon
    > Sid" in the caller's token. However the local system token (under which your
    > GINA is running) doesn't have a "Logon sid" so the API failed when caller is
    > local system.
    >
    > You can use LogonUser and CreateProcessAsUser to achieve the same thing.
    >
    > This info will be included in next release of MSDN.
    >
    > --
    > Yu Chen [MS]
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    > "Andrew Zimmer" <zimmeracharter.net> wrote in message
    > news:485f505f.0408181919.5adec780posting.google.com...
    > > I have the same issue with using CreateProcessWithLogonW on a 2003
    > > machine. The application does not start. It doesn't even generate an
    > > error message. I tried using the below example but it will not work
    > > when trying to login to the same machine.
    > >
    > > Does anyone know how to deal with this Server 2003 security issue? I
    > > have granted about every local security setting policy setting to both
    > > the ID doing the impersonation and the ID it is trying to impersonate
    > > to.
    > >
    > > I am trying to start an app under a specific ID from a windows
    > > service. It works great on Server 2000 but not 2003.

    Yu Chen [MS] Guest

  11. #11

    Re: HELP! CreateProcessWithLogonW issue

    Actually, the service is logged on as an admin on the machine. It
    also has every local security policy setting imaginable.



    "Yu Chen [MS]" <yuchenonline.microsoft.com> wrote in message news:<Oin6dojhEHA.384TK2MSFTNGP10.phx.gbl>...
    > If your service is started under Local System account, this is a known issue
    > in Windows Server 2003 and XPSP2 - the CreateProcessWithLogonW API is
    > changed to better handle the new process' use of desktop by utilizing "Logon
    > Sid" in the caller's token. However the local system token (under which your
    > GINA is running) doesn't have a "Logon sid" so the API failed when caller is
    > local system.
    >
    > You can use LogonUser and CreateProcessAsUser to achieve the same thing.
    >
    > This info will be included in next release of MSDN.
    >
    > --
    > Yu Chen [MS]
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    > "Andrew Zimmer" <zimmeracharter.net> wrote in message
    > news:485f505f.0408181919.5adec780posting.google.com...
    > > I have the same issue with using CreateProcessWithLogonW on a 2003
    > > machine. The application does not start. It doesn't even generate an
    > > error message. I tried using the below example but it will not work
    > > when trying to login to the same machine.
    > >
    > > Does anyone know how to deal with this Server 2003 security issue? I
    > > have granted about every local security setting policy setting to both
    > > the ID doing the impersonation and the ID it is trying to impersonate
    > > to.
    > >
    > > I am trying to start an app under a specific ID from a windows
    > > service. It works great on Server 2000 but not 2003.
    Andrew Zimmer Guest

  13. #13

    Re: HELP! CreateProcessWithLogonW issue

    zimmeracharter.net (Andrew Zimmer) wrote:
    > Actually, the service is logged on as an admin on the machine. It
    > also has every local security policy setting imaginable.

    What is the return value from CreateProcessWithLogonW? What are
    the exact parameters that you pass in?

    If you enable "Detailed process tracking" in the auditing settings
    of your security policy, do you get any "process created" events
    in the security event log?
    Pavel Lebedinsky Guest

  15. #15

    Re: HELP! CreateProcessWithLogonW issue

    Hi - You suggest to use LogonUser and CreateProcessAsUser to replace
    CreateProcessWithLogonW, but does that really replace it exactly? It is
    my understanding there are major differences between the two such as
    LogonUser and CreateProcessAsUser don't load the user's registry hive.
    thanks,
    -Matthew

    Yu Chen [MS] wrote:
    > Please ignore the "GINA" part below - it's a cut & paste from an earlier
    > reply to another thread.
    >
    >> If your service is started under Local System account, this is a known issue
    >> in Windows Server 2003 and XPSP2 - the CreateProcessWithLogonW API is
    >> changed to better handle the new process' use of desktop by utilizing "Logon
    >> Sid" in the caller's token. However the local system token (under which your
    >> GINA is running) doesn't have a "Logon sid" so the API failed when caller is
    >> local system.
    >>
    >> You can use LogonUser and CreateProcessAsUser to achieve the same thing.
    >>
    >> This info will be included in next release of MSDN.
    >>
    >> --
    >> Yu Chen [MS]
    >> This posting is provided "AS IS" with no warranties, and confers no rights.
    >>
    >> "Andrew Zimmer" <zimmeracharter.net> wrote in message
    >> news:485f505f.0408181919.5adec780posting.google.com...
    >>
    >>> I have the same issue with using CreateProcessWithLogonW on a 2003
    >>> machine. The application does not start. It doesn't even generate an
    >>> error message. I tried using the below example but it will not work
    >>> when trying to login to the same machine.
    >>>
    >>> Does anyone know how to deal with this Server 2003 security issue? I
    >>> have granted about every local security setting policy setting to both
    >>> the ID doing the impersonation and the ID it is trying to impersonate
    >>> to.
    >>>
    >>> I am trying to start an app under a specific ID from a windows
    >>> service. It works great on Server 2000 but not 2003.
    Matthew Wieder Guest
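
Added example, not part of the original thread: the LogonUser + CreateProcessAsUser route suggested in the reply above, with an explicit LoadUserProfile call to cover the registry-hive difference raised in the last post. The names RunAsUser and Run and the timeout parameter are assumptions made for this example; the caller needs the "Replace a process level token" and "Adjust memory quotas for a process" rights mentioned in the first post.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example: RunAsUser and Run are hypothetical names, not code from the thread.
public static class RunAsUser
{
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;
    const uint CREATE_UNICODE_ENVIRONMENT = 0x00000400, WAIT_TIMEOUT = 0x00000102;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct PROFILEINFO
    {
        public int dwSize, dwFlags;
        public string lpUserName, lpProfilePath, lpDefaultPath, lpServerName, lpPolicyPath;
        public IntPtr hProfile;
    }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("userenv.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LoadUserProfile(IntPtr token, ref PROFILEINFO info);
    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool UnloadUserProfile(IntPtr token, IntPtr profile);
    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool CreateEnvironmentBlock(out IntPtr env, IntPtr token, bool inherit);
    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool DestroyEnvironmentBlock(IntPtr env);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine,
        IntPtr procAttrs, IntPtr threadAttrs, bool inheritHandles, uint flags,
        IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetExitCodeProcess(IntPtr handle, out uint exitCode);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static Win32Exception Fail(string api)
    {
        // Capture the error code first; the message never echoes the password or command line.
        return new Win32Exception(Marshal.GetLastWin32Error(), api + " failed");
    }

    // Returns the child's exit code; throws instead of waiting forever if it does not finish.
    public static uint Run(string user, string domain, string password,
                           string exePath, string args, uint timeoutMs)
    {
        IntPtr token = IntPtr.Zero, env = IntPtr.Zero;
        PROFILEINFO profile = new PROFILEINFO();
        PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
        bool profileLoaded = false;
        try
        {
            // An interactive logon yields a primary token usable by CreateProcessAsUser.
            if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out token)) throw Fail("LogonUser");

            // CreateProcessAsUser does not load the user's registry hive, so do it here.
            profile.dwSize = Marshal.SizeOf(typeof(PROFILEINFO));
            profile.lpUserName = user;
            if (!LoadUserProfile(token, ref profile)) throw Fail("LoadUserProfile");
            profileLoaded = true;

            // Build the target user's environment rather than inheriting the caller's.
            if (!CreateEnvironmentBlock(out env, token, false)) throw Fail("CreateEnvironmentBlock");

            // lpDesktop stays null: the child inherits the caller's window station and desktop.
            STARTUPINFO si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(typeof(STARTUPINFO));

            // Pass the executable separately and quote it, so a space in the path
            // cannot change which binary is started.
            StringBuilder cmd = new StringBuilder("\"" + exePath + "\" " + args);
            if (!CreateProcessAsUser(token, exePath, cmd, IntPtr.Zero, IntPtr.Zero, false,
                    CREATE_UNICODE_ENVIRONMENT, env, null, ref si, out pi))
                throw Fail("CreateProcessAsUser");

            if (WaitForSingleObject(pi.hProcess, timeoutMs) == WAIT_TIMEOUT)
                throw new TimeoutException("Child process did not exit within the timeout");
            uint exitCode;
            if (!GetExitCodeProcess(pi.hProcess, out exitCode)) throw Fail("GetExitCodeProcess");
            return exitCode;
        }
        finally
        {
            // Release everything in reverse order of acquisition, on success or failure.
            if (pi.hThread != IntPtr.Zero) CloseHandle(pi.hThread);
            if (pi.hProcess != IntPtr.Zero) CloseHandle(pi.hProcess);
            if (env != IntPtr.Zero) DestroyEnvironmentBlock(env);
            if (profileLoaded) UnloadUserProfile(token, profile.hProfile);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```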

  17. #17

    Default Re: HELP! CreateProcessWithLogonW issue

    You should be able to do this on the same machine by first impersonating the
    user you want to authenticate as, then invoking the process using WMI.

    Hey Yu - where were you with all the good advice when I was beating my head
    against the wall last month?
    charlie@nunya.com Guest

  19. #19

    Default Re: HELP! CreateProcessWithLogonW issue

    Is this addressing my question about the differences between
    CreateProcessWithLogonW and Yu's proscribed solution?

    charlie@nunya.com wrote:
    > You should be able to do this on the same machine by first impersonating the
    > user you want to authenticate as, then invoking the process using WMI.
    >
    > Hey Yu - where were you with all the good advice when I was beating my head
    > against the wall last month?
    Matthew Wieder Guest
